BoomBox

Malware Profile Updated 24 days ago
BoomBox, tracked by Microsoft as a malicious downloader, is one stage of a NOBELIUM infection chain that also includes EnvyScout, NativeZone, and VaporRage; its distinguishing trait is that it moves all of its traffic over a trusted channel, Dropbox.

Payload retrieval: BoomBox first downloads an encrypted file from a Dropbox account controlled by the actor. It discards the first 10 bytes (header) and the last 7 bytes (footer) of the download, decrypts the remainder with a hardcoded encryption key and IV, and writes the result to %AppData%\Microsoft\NativeCache\NativeCacheSvc.dll.

Reconnaissance: if the compromised host is domain-joined, BoomBox runs an LDAP query that collects the distinguished name, SAM account name, email, and display name of every domain user. It then downloads a second encrypted file from Dropbox, again discarding the header and footer bytes before decryption.

Exfiltration: the collected host information is AES-encrypted, and the PDF magic markers are prepended and appended to the encrypted string so that the blob looks like a PDF document. BoomBox uploads this file to a Dropbox folder dedicated to the victim system, and continues execution even when the upload fails. It checks the HTTP response from Dropbox against regular expressions to decide whether the upload succeeded.
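As an added example (not code from this page or from Microsoft's analysis), the Python below sketches two analyst-side helpers derived from the behaviour described above: unwrapping a captured Dropbox download exactly as BoomBox does before decryption (the key, IV and cipher mode are not on this page, so the AES step itself is left to the analyst), and a detection heuristic for the PDF-masqueraded upload. It assumes the masquerade uses the standard `%PDF-` header and `%%EOF` trailer and that the inner AES ciphertext is near-random; all sample blobs are constructed.

```python
import math
from collections import Counter

BOOMBOX_HEADER_LEN = 10   # bytes BoomBox drops from the start of a download
BOOMBOX_FOOTER_LEN = 7    # bytes BoomBox drops from the end of a download
PDF_HEADER = b"%PDF-"     # assumed: standard PDF magic markers
PDF_TRAILER = b"%%EOF"


def strip_boombox_wrapper(blob: bytes) -> bytes:
    """Return the ciphertext BoomBox would hand to its decryptor: the
    download minus its 10-byte header and 7-byte footer."""
    if len(blob) <= BOOMBOX_HEADER_LEN + BOOMBOX_FOOTER_LEN:
        raise ValueError("blob too short to contain a wrapped payload")
    return blob[BOOMBOX_HEADER_LEN:len(blob) - BOOMBOX_FOOTER_LEN]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; AES output sits close to 8.0, PDF text far below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_masqueraded_pdf(data: bytes, entropy_threshold: float = 7.0) -> bool:
    """Flag a blob that carries PDF magic markers but no PDF structure.
    A genuine PDF has object/xref tokens between the markers; BoomBox's
    upload is one opaque AES-encrypted string wrapped in the markers."""
    body = data.rstrip(b"\r\n ")
    if not (body.startswith(PDF_HEADER) and body.endswith(PDF_TRAILER)):
        return False
    inner = body[len(PDF_HEADER):-len(PDF_TRAILER)]
    has_structure = b"obj" in inner or b"xref" in inner or b"/Root" in inner
    return (not has_structure) and shannon_entropy(inner) > entropy_threshold


# Constructed samples: a uniform byte sweep stands in for AES ciphertext.
FAKE_CIPHERTEXT = bytes(range(256))
MASQUERADED_UPLOAD = PDF_HEADER + FAKE_CIPHERTEXT + PDF_TRAILER
REAL_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    wrapped = b"H" * BOOMBOX_HEADER_LEN + b"ciphertext" + b"F" * BOOMBOX_FOOTER_LEN
    print(strip_boombox_wrapper(wrapped))
    print(looks_like_masqueraded_pdf(MASQUERADED_UPLOAD))  # True
    print(looks_like_masqueraded_pdf(REAL_PDF))            # False
```

The entropy threshold is a heuristic: a short ciphertext can fall below it, and a real ciphertext can by chance contain the bytes "obj", so treat a hit as a triage signal to pair with the Dropbox upload itself, not as proof on its own.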
Source Document References
Information about the BoomBox malware was read from the document corpus below.

Source: MITRE (a year ago). Title: Breaking down NOBELIUM's latest early-stage toolset - Microsoft Security Blog